// This file was autogenerated by go-to-protobuf. Do not edit it manually!
syntax = 'proto2';
package github.com.openshift.api.oauth.v1;
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
// Package-wide variables from generator "generated".
option go_package = "v1";
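// ClusterRoleScopeRestriction describes restrictions on cluster role scopes.
message ClusterRoleScopeRestriction {
  // RoleNames is the list of cluster roles that can be referenced. "*" means
  // anything.
  repeated string roleNames = 1;

  // Namespaces is the list of namespaces that can be referenced. "*" means
  // any of them (including "*").
  repeated string namespaces = 2;

  // AllowEscalation indicates whether you can request roles and their
  // escalating resources.
  // NOTE(review): "*" in both roleNames and namespaces together with
  // allowEscalation = true is the least restrictive value this message can
  // express; worth auditing wherever it is set.
  optional bool allowEscalation = 3;
}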
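// OAuthAccessToken describes an OAuth access token.
// NOTE(review): authorizeToken and refreshToken carry token values as plain
// strings, so serialized instances of this message should be handled as
// credential material (storage, logs, audit output).
message OAuthAccessToken {
  // Object metadata (k8s ObjectMeta).
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // ClientName references the client that created this token.
  optional string clientName = 2;

  // ExpiresIn is the number of seconds from CreationTime before this token
  // expires.
  optional int64 expiresIn = 3;

  // Scopes is an array of the requested scopes.
  repeated string scopes = 4;

  // RedirectURI is the redirection associated with the token.
  optional string redirectURI = 5;

  // UserName is the user name associated with this token.
  optional string userName = 6;

  // UserUID is the unique UID associated with this token.
  optional string userUID = 7;

  // AuthorizeToken contains the token that authorized this token.
  optional string authorizeToken = 8;

  // RefreshToken is the value by which this token can be renewed. Can be
  // blank.
  optional string refreshToken = 9;

  // InactivityTimeoutSeconds is the value in seconds, from the
  // CreationTimestamp, after which this token can no longer be used.
  // The value is automatically incremented when the token is used.
  optional int32 inactivityTimeoutSeconds = 10;
}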
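// OAuthAccessTokenList is a collection of OAuth access tokens.
message OAuthAccessTokenList {
  // List metadata (k8s ListMeta).
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is the list of OAuth access tokens.
  repeated OAuthAccessToken items = 2;
}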
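// OAuthAuthorizeToken describes an OAuth authorization token.
message OAuthAuthorizeToken {
  // Object metadata (k8s ObjectMeta).
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // ClientName references the client that created this token.
  optional string clientName = 2;

  // ExpiresIn is the number of seconds from CreationTime before this token
  // expires.
  optional int64 expiresIn = 3;

  // Scopes is an array of the requested scopes.
  repeated string scopes = 4;

  // RedirectURI is the redirection associated with the token.
  optional string redirectURI = 5;

  // State data from request.
  optional string state = 6;

  // UserName is the user name associated with this token.
  optional string userName = 7;

  // UserUID is the unique UID associated with this token. UserUID and
  // UserName must both match for this token to be valid.
  optional string userUID = 8;

  // CodeChallenge is the optional code_challenge associated with this
  // authorization code, as described in RFC 7636 (PKCE).
  optional string codeChallenge = 9;

  // CodeChallengeMethod is the optional code_challenge_method associated with
  // this authorization code, as described in RFC 7636 (PKCE).
  // NOTE(review): both PKCE fields are optional in this schema, so whether a
  // challenge is required for a given client is decided outside this message.
  optional string codeChallengeMethod = 10;
}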
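// OAuthAuthorizeTokenList is a collection of OAuth authorization tokens.
message OAuthAuthorizeTokenList {
  // List metadata (k8s ListMeta).
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is the list of OAuth authorization tokens.
  repeated OAuthAuthorizeToken items = 2;
}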
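// OAuthClient describes an OAuth client.
// NOTE(review): secret and additionalSecrets are plain string fields, so read
// access to OAuthClient objects (or their serialized form) should be treated
// as access to the client credentials.
message OAuthClient {
  // Object metadata (k8s ObjectMeta).
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Secret is the unique secret associated with a client.
  optional string secret = 2;

  // AdditionalSecrets holds other secrets that may be used to identify the
  // client. This is useful for rotation and for service account token
  // validation.
  repeated string additionalSecrets = 3;

  // RespondWithChallenges indicates whether the client wants
  // authentication-needed responses made in the form of challenges instead of
  // redirects.
  optional bool respondWithChallenges = 4;

  // RedirectURIs is the list of valid redirection URIs associated with a
  // client.
  // +patchStrategy=merge
  repeated string redirectURIs = 5;

  // GrantMethod is a required field which determines how to handle grants for
  // this client.
  // Valid grant handling methods are:
  //  - auto:   always approves grant requests, useful for trusted clients
  //  - prompt: prompts the end user for approval of grant requests, useful
  //            for third-party clients
  // NOTE(review): "auto" removes the end-user approval step, so it should be
  // limited to clients that are actually trusted. The field is a free-form
  // string here; the set of valid values is not enforced by the schema.
  optional string grantMethod = 6;

  // ScopeRestrictions describes which scopes this client can request. Each
  // requested scope is checked against each restriction. If any restriction
  // matches, then the scope is allowed. If no restriction matches, then the
  // scope is denied.
  repeated ScopeRestriction scopeRestrictions = 7;

  // AccessTokenMaxAgeSeconds overrides the default access token max age for
  // tokens granted to this client.
  // 0 means no expiration.
  // NOTE(review): an explicit 0 disables expiry rather than inheriting the
  // default; the field is optional, so unset and 0 are distinct on the wire.
  optional int32 accessTokenMaxAgeSeconds = 8;

  // AccessTokenInactivityTimeoutSeconds overrides the default token
  // inactivity timeout for tokens granted to this client.
  // The value represents the maximum amount of time that can occur between
  // consecutive uses of the token. Tokens become invalid if they are not
  // used within this temporal window. The user will need to acquire a new
  // token to regain access once a token times out.
  // This value needs to be set only if the default set in configuration is
  // not appropriate for this client. Valid values are:
  //  - 0: Tokens for this client never time out
  //  - X: Tokens time out if there is no activity for X seconds
  // The current minimum allowed value for X is 300 (5 minutes).
  optional int32 accessTokenInactivityTimeoutSeconds = 9;
}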
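// OAuthClientAuthorization describes an authorization created by an OAuth
// client.
message OAuthClientAuthorization {
  // Object metadata (k8s ObjectMeta).
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // ClientName references the client that created this authorization.
  optional string clientName = 2;

  // UserName is the user name that authorized this client.
  optional string userName = 3;

  // UserUID is the unique UID associated with this authorization. UserUID and
  // UserName must both match for this authorization to be valid.
  optional string userUID = 4;

  // Scopes is an array of the granted scopes.
  repeated string scopes = 5;
}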
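// OAuthClientAuthorizationList is a collection of OAuth client
// authorizations.
message OAuthClientAuthorizationList {
  // List metadata (k8s ListMeta).
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is the list of OAuth client authorizations.
  repeated OAuthClientAuthorization items = 2;
}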
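// OAuthClientList is a collection of OAuth clients.
message OAuthClientList {
  // List metadata (k8s ListMeta).
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // Items is the list of OAuth clients.
  repeated OAuthClient items = 2;
}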
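// OAuthRedirectReference is a reference to an OAuth redirect object.
message OAuthRedirectReference {
  // Object metadata (k8s ObjectMeta).
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // The reference to a redirect object in the current namespace.
  optional RedirectReference reference = 2;
}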
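// RedirectReference specifies the target in the current namespace that
// resolves into redirect URIs. Only the 'Route' kind is currently allowed.
// NOTE(review): group, kind and name are unconstrained strings in this
// schema; the 'Route'-only rule has to be enforced by whatever resolves the
// reference.
message RedirectReference {
  // The group of the target that is being referred to.
  optional string group = 1;

  // The kind of the target that is being referred to. Currently, only 'Route'
  // is allowed.
  optional string kind = 2;

  // The name of the target that is being referred to, e.g. the name of the
  // Route.
  optional string name = 3;
}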
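// ScopeRestriction describes one restriction on scopes. Exactly one option
// must be non-nil.
// NOTE(review): literals and clusterRole are independent fields (no oneof),
// so the "exactly one" rule is not enforced by this schema and must be
// validated by the consumer.
message ScopeRestriction {
  // ExactValues (serialized as "literals") means the scope has to match a
  // particular set of strings exactly.
  repeated string literals = 1;

  // ClusterRole describes a set of restrictions for cluster role scoping.
  optional ClusterRoleScopeRestriction clusterRole = 2;
}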